I've got Apache authentication working (not on the directories I'm testing Dokuwiki in), and I can show ldapsearch output finding what I need found. But I can't get Dokuwiki to authenticate against our AD (I don't control the AD, or particularly understand it).
Here's the ldapsearch command, showing how to find the user:
```
ldapsearch -v -P 3 -D "CN=<redacted>,OU=Service Accounts,OU=MPLS,DC=redacted,DC=local" -y ldpwd.txt -H "ldap://prcdc1.redacted.local:3268" -x -s sub -b "dc=redacted,dc=local" -z 10 '(&(samaccountname=david.dyer-bennet)(objectclass=user))' dn samaccountname
```
And the output:
```
ldap_initialize( ldap://prcdc1.redacted.local:3268 )
filter: (&(samaccountname=david.dyer-bennet)(objectclass=user))
requesting: dn samaccountname
# extended LDIF
#
# LDAPv3
# base <dc=redacted,dc=local> with scope sub
# filter: (&(samaccountname=david.dyer-bennet)(objectclass=user))
# requesting: dn samaccountname
#

# David Dyer-Bennet, PRC MN Users, MPLS, redacted.local
dn: CN=David Dyer-Bennet,OU=PRC MN Users,OU=MPLS,DC=redacted,DC=local
sAMAccountName: david.dyer-bennet

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
So, here are the entries in local.php I'm trying:
```php
$conf['useacl'] = 1;
$conf['openregister']= 0;
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['server'] = 'prcdc1.redacted.local';
$conf['auth']['ldap']['port'] = 3268;
$conf['auth']['ldap']['usertree'] = 'dc=redacted, dc=local';
$conf['auth']['ldap']['userfilter'] = '(&(objectclass=user)(samaccountname=${user}))';
$conf['auth']['ldap']['version'] = 3;
$conf['auth']['ldap']['binddn'] = 'CN=<redacted>,OU=Service Accounts,OU=MPLS,DC=redacted,DC=local';
$conf['auth']['ldap']['bindpw'] = 'redacted';
# Mapping can be used to specify where the internal data is coming from.
$conf['auth']['ldap']['mapping']['name'] = 'displayname'; # Name of the attribute in which Active Directory stores its pretty-print user name.
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i'); # Where groups are defined in Active Directory
# Optional debugging
$conf['auth']['ldap']['debug'] = 1;
```
And, when I try to log in, I get (as debug lines at the top of the screen):
```
LDAP user search: Success [ldap.class.php:177]
LDAP search at: dc=redacted, dc=local (&(objectclass=user)(samaccountname=${user})) [ldap.class.php:178]
Sorry, username or password was wrong.
```
Anybody got a clue they might be able to share? I'm sure the bind password is right; if I change it to be deliberately wrong, I get the error "LDAP bind as superuser: Invalid credentials [ldap.class.php:56]". I'm sure I'm entering my Windows account password correctly, I've tried multiple times, and I use the password more than daily so I'm not confused about what it is.
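The debug line above is worth reading closely: the filter that actually reached the directory still contains the literal text `${user}`, so the user search was run for that string rather than for the login name, and a search that matches nothing ends in the same "username or password was wrong" message a bad password would. The following Python is an added example (mine, not code from the post or from DokuWiki) that models the substitution step a `userfilter` template goes through before the search. It assumes the placeholder spelling the substitution looks for is `%{user}`, which is the form DokuWiki's own documentation uses, and it escapes the substituted value per RFC 4515 so a login name can never be read as filter syntax. Everything else (the `unresolved_placeholders` check, the sample templates) is constructed for the example.

```python
import re
from typing import List

# RFC 4515 section 3: characters that must be escaped when a value is placed
# inside an LDAP search filter, so the value is treated as a literal assertion
# value and not as filter syntax.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

# Placeholder spelling the substitution step recognises (assumed: %{name}).
_PLACEHOLDER = re.compile(r'%\{(\w+)\}')


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, user: str) -> str:
    """Substitute %{user} in the filter template with the escaped login name.

    Anything that is not spelled %{user} is left exactly as written, which is
    what the substitution step does with a placeholder it does not recognise.
    """
    def repl(match: "re.Match") -> str:
        if match.group(1) == 'user':
            return escape_filter_value(user)
        return match.group(0)
    return _PLACEHOLDER.sub(repl, template)


def unresolved_placeholders(filter_str: str) -> List[str]:
    """Return anything that still looks like a template placeholder.

    A non-empty result means the directory will be searched for the literal
    placeholder text, which cannot match a real account; the login then fails
    before any password is ever checked.
    """
    return re.findall(r'[%$]\{\w+\}', filter_str)


if __name__ == '__main__':
    # Constructed templates: the first mirrors the shape of the posted config,
    # the second uses the placeholder spelling the substitution expects.
    for template in (
        '(&(objectclass=user)(samaccountname=${user}))',
        '(&(objectclass=user)(samaccountname=%{user}))',
    ):
        built = build_user_filter(template, 'david.dyer-bennet')
        leftover = unresolved_placeholders(built)
        print(f'{template}\n  -> {built}')
        print(f'  unresolved placeholders: {leftover or "none"}')
```

Running the script prints the first template unchanged with `${user}` reported as unresolved, and the second with the login name in place. The escaping matters independently of the placeholder question: because the login name is inserted into the filter before the search, it is the one piece of attacker-controlled input in the query, and `escape_filter_value` is what keeps characters such as `*` and `)` from altering the filter's structure.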